system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-10-18 14:23:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Import IP Filter version 4.1.10

Browse source
This commit is contained in:
Guido van Rooij 2005-12-30 11:22:11 +00:00
parent 8158c4468d
commit fc79eaf127
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor-sys/ipfilter/dist/; revision=153872
35 changed files with 1057 additions and 655 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

806
sys/contrib/ipfilter/netinet/fil.c
View file

File diff suppressed because it is too large Load diff

26
sys/contrib/ipfilter/netinet/ip_auth.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
*
@ -119,7 +117,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73.2.3 2004/08/26 11:25:21 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.5 2005/06/12 07:18:14 darrenr Exp $";
#endif
@ -368,9 +366,7 @@ int mode;
#if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \
(!defined(__FreeBSD_version) || (__FreeBSD_version < 501000))
struct ifqueue *ifq;
# ifdef USE_SPL
int s;
# endif /* USE_SPL */
SPL_INT(s);
#endif
frauth_t auth, *au = &auth, *fra;
int i, error = 0, len;
@ -507,10 +503,10 @@ int mode;
# ifdef MENTAT
error = !putq(fra->fra_q, m);
# else /* MENTAT */
# ifdef linux
# if defined(linux) || defined(AIX)
# else
# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) || \
(defined(__sgi) && (IRIX >= 60500) || \
(defined(__sgi) && (IRIX >= 60500) || defined(AIX) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 470102)))
error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
NULL);
@ -527,12 +523,12 @@ int mode;
# ifdef MENTAT
error = !putq(fra->fra_q, m);
# else /* MENTAT */
# ifdef linux
# if defined(linux) || defined(AIX)
# else
# if __FreeBSD_version >= 501000
# if (__FreeBSD_version >= 501000)
netisr_dispatch(NETISR_IP, m);
# else
# if IRIX >= 60516
# if (IRIX >= 60516)
ifq = &((struct ifnet *)fra->fra_info.fin_ifp)->if_snd;
# else
ifq = &ipintrq;
@ -663,9 +659,7 @@ void fr_authexpire()
register frauthent_t *fae, **faep;
register frentry_t *fr, **frp;
mb_t *m;
# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
int s;
# endif
SPL_INT(s);
if (fr_auth_lock)
return;
@ -714,9 +708,7 @@ frentry_t *fr, **frptr;
{
frauthent_t *fae, **faep;
int error = 0;
# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
int s;
#endif
SPL_INT(s);
if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR))
return EIO;

4
sys/contrib/ipfilter/netinet/ip_auth.h
View file

@ -1,11 +1,9 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1997-2001 by Darren Reed & Guido Van Rooij.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_auth.h,v 2.16 2003/07/25 12:29:56 darrenr Exp
* $Id: ip_auth.h,v 2.16 2003/07/25 12:29:56 darrenr Exp $
*
*/
#ifndef __IP_AUTH_H__

153
sys/contrib/ipfilter/netinet/ip_compat.h
View file

@ -1,12 +1,10 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
* Id: ip_compat.h,v 2.142.2.25 2005/03/28 09:33:36 darrenr Exp
* $Id: ip_compat.h,v 2.142.2.33 2005/12/04 23:40:17 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@ -768,7 +766,7 @@ typedef u_int32_t u_32_t;
/* F R E E B S D */
/* ----------------------------------------------------------------------- */
#ifdef __FreeBSD__
# if defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(KLD_MODULE)
# if defined(_KERNEL)
# if (__FreeBSD_version >= 500000)
# include "opt_bpf.h"
# else
@ -1122,6 +1120,7 @@ extern mb_t *m_pullup __P((mb_t *, int));
# define mbuf sk_buff
# define mtod(m, t) ((t)(m)->data)
# define m_data data
# define m_len len
# define m_next next
# define M_DUPLICATE(m) skb_clone((m), in_interrupt() ? GFP_ATOMIC : \
@ -1206,6 +1205,115 @@ typedef u_int32_t u_32_t;
#endif
/* ----------------------------------------------------------------------- */
/* A I X */
/* ----------------------------------------------------------------------- */
#if defined(_AIX51)
# undef MENTAT
# include <sys/lock.h>
# include <sys/sysmacros.h>
# ifdef _KERNEL
# define rw_read_locked(x) 0
# include <net/net_globals.h>
# include <net/net_malloc.h>
# define KMUTEX_T simple_lock_t
# define KRWLOCK_T complex_lock_t
# define USE_MUTEXES 1
# define USE_SPL 1
# define READ_ENTER(x) lock_read((x)->ipf_lk)
# define WRITE_ENTER(x) lock_write((x)->ipf_lk)
# define MUTEX_DOWNGRADE(x) lock_write_to_read((x)->ipf_lk)
# define RWLOCK_INIT(x, y) lock_alloc(&(x)->ipf_lk, \
LOCK_ALLOC_PIN, \
(u_short)y, 0); \
lock_init((x)->ipf_lk, TRUE)
# define RWLOCK_EXIT(x) lock_done((x)->ipf_lk)
# define RW_DESTROY(x) lock_free(&(x)->ipf_lk)
# define MUTEX_ENTER(x) simple_lock((x)->ipf_lk)
# define MUTEX_INIT(x, y) lock_alloc(&(x)->ipf_lk, \
LOCK_ALLOC_PIN, \
(u_short)y, 0); \
simple_lock_init((x)->ipf_lk)
# define MUTEX_DESTROY(x) lock_free(&(x)->ipf_lk)
# define MUTEX_EXIT(x) simple_unlock((x)->ipf_lk)
# define MUTEX_NUKE(x) bzero(&(x)->ipf_lk, sizeof((x)->ipf_lk))
# define ATOMIC_INC64(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_DEC64(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_INC32(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_DEC32(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_INCL(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_DECL(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
MUTEX_EXIT(&ipf_rw); }
# define SPL_NET(x) x = splnet()
# define SPL_IMP(x) x = splimp()
# undef SPL_X
# define SPL_X(x) splx(x)
# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
extern void* getifp __P((char *, int));
# define GETIFP(n, v) getifp(n, v)
# define GET_MINOR minor
# define SLEEP(id, n) sleepx((id), PZERO+1, 0)
# define WAKEUP(id,x) wakeup(id)
# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT)
# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_TEMP, \
((c) > 4096) ? M_WAITOK : M_NOWAIT)
# define KFREE(x) FREE((x), M_TEMP)
# define KFREES(x,s) FREE((x), M_TEMP)
# define MSGDSIZE(x) mbufchainlen(x)
# define M_LEN(x) (x)->m_len
# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
# define GETKTIME(x)
# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
# define IPF_PANIC(x,y)
typedef struct mbuf mb_t;
# endif /* _KERNEL */
/*
* These are from's Solaris' #defines for little endian.
*/
#if !defined(IP6F_MORE_FRAG)
# define IP6F_MORE_FRAG 0x0100
#endif
#if !defined(IP6F_RESERVED_MASK)
# define IP6F_RESERVED_MASK 0x0600
#endif
#if !defined(IP6F_OFF_MASK)
# define IP6F_OFF_MASK 0xf8ff
#endif
struct ip6_ext {
u_char ip6e_nxt;
u_char ip6e_len;
};
typedef int ioctlcmd_t;
typedef int minor_t;
/*
* Really, any arch where sizeof(long) != sizeof(int).
*/
typedef unsigned int u_32_t;
# define U_32_T 1
# define OS_RECOGNISED 1
#endif /* _AIX51 */
#ifndef OS_RECOGNISED
#error ip_compat.h does not recognise this platform/OS.
#endif
@ -1221,8 +1329,11 @@ typedef u_int32_t u_32_t;
* For BSD kernels, if bpf is in the kernel, enable ipfilter to use bpf in
* filter rules.
*/
#if !defined(IPFILTER_BPF) && ((NBPF > 0) || (NBPFILTER > 0))
# define IPFILTER_BPF
#if !defined(IPFILTER_BPF)
# if (defined(NBPF) && (NBPF > 0)) || (defined(DEV_BPF) && (DEV_BPF > 0)) || \
(defined(NBPFILTER) && (NBPFILTER > 0))
# define IPFILTER_BPF
# endif
#endif
/*
@ -1290,10 +1401,10 @@ typedef union {
#endif
#if defined(linux) && defined(_KERNEL)
extern INLINE void ipf_read_enter __P((ipfrwlock_t *));
extern INLINE void ipf_write_enter __P((ipfrwlock_t *));
extern INLINE void ipf_rw_exit __P((ipfrwlock_t *));
extern INLINE void ipf_rw_downgrade __P((ipfrwlock_t *));
extern void ipf_read_enter __P((ipfrwlock_t *));
extern void ipf_write_enter __P((ipfrwlock_t *));
extern void ipf_rw_exit __P((ipfrwlock_t *));
extern void ipf_rw_downgrade __P((ipfrwlock_t *));
#endif
/*
@ -1313,6 +1424,7 @@ typedef struct mb_s {
# define M_LEN(x) (x)->mb_len
# define M_DUPLICATE(x) (x)
# define GETKTIME(x) gettimeofday((struct timeval *)(x), NULL)
# undef MTOD
# define MTOD(m, t) ((t)(m)->mb_buf)
# define FREE_MB_T(x)
# define SLEEP(x,y) 1;
@ -1327,8 +1439,8 @@ typedef struct mb_s {
# define KFREE(x) free(x)
# define KFREES(x,s) free(x)
# define GETIFP(x, v) get_unit(x,v)
# define COPYIN(a,b,c) (bcopy((a), (b), (c)), 0)
# define COPYOUT(a,b,c) (bcopy((a), (b), (c)), 0)
# define COPYIN(a,b,c) bcopywrap((a), (b), (c))
# define COPYOUT(a,b,c) bcopywrap((a), (b), (c))
# define BCOPYIN(a,b,c) (bcopy((a), (b), (c)), 0)
# define BCOPYOUT(a,b,c) (bcopy((a), (b), (c)), 0)
# define COPYDATA(m, o, l, b) bcopy(MTOD((mb_t *)m, char *) + (o), \
@ -1563,6 +1675,12 @@ extern char *fr_getifname __P((struct ifnet *, char *));
# define ATOMIC_DEC(x) (x)--
#endif
#if defined(USE_SPL) && defined(_KERNEL)
# define SPL_INT(x) int x
#else
# define SPL_INT(x)
#endif
/*
* If there are no atomic operations for bit sizes defined, define them to all
* use a generic one that works for all sizes.
@ -2037,9 +2155,10 @@ typedef struct tcpiphdr tcpiphdr_t;
#ifndef IPPROTO_DSTOPTS
# define IPPROTO_DSTOPTS 60
#endif
#ifndef IPPROTO_FRAGMENT
# define IPPROTO_FRAGMENT 44
#ifndef IPPROTO_MOBILITY
# define IPPROTO_MOBILITY 135
#endif
#ifndef ICMP_ROUTERADVERT
# define ICMP_ROUTERADVERT 9
#endif
@ -2273,7 +2392,7 @@ typedef struct tcpiphdr tcpiphdr_t;
/*
* ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
* another IP header and then 64 bits of data, totalling 56. Of course,
* the last 64 bits is dependant on that being available.
* the last 64 bits is dependent on that being available.
*/
#define ICMPERR_ICMPHLEN 8
#define ICMPERR_IPICMPHLEN (20 + 8)
@ -2292,4 +2411,8 @@ typedef struct tcpiphdr tcpiphdr_t;
# define DPRINT(x)
#endif
#ifdef RESCUE
# undef IPFILTER_BPF
#endif
#endif /* __IP_COMPAT_H__ */

34
sys/contrib/ipfilter/netinet/ip_fil.h
View file

@ -1,17 +1,17 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* Id: ip_fil.h,v 2.170.2.18 2005/03/28 10:47:52 darrenr Exp
* $Id: ip_fil.h,v 2.170.2.23 2005/12/04 23:39:28 darrenr Exp $
*/
#ifndef __IP_FIL_H__
#define __IP_FIL_H__
#include "netinet/ip_compat.h"
#ifndef SOLARIS
# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
@ -24,7 +24,7 @@
# endif
#endif
#if defined(__STDC__) || defined(__GNUC__)
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
# define SIOCADAFR _IOW('r', 60, struct ipfobj)
# define SIOCRMAFR _IOW('r', 61, struct ipfobj)
# define SIOCSETFF _IOW('r', 62, u_int)
@ -904,6 +904,7 @@ typedef struct tcpdata {
#define TCP_WSCALE_SEEN 0x00000001
#define TCP_WSCALE_FIRST 0x00000002
#define TCP_SACK_PERMIT 0x00000004
typedef struct tcpinfo {
@ -913,6 +914,9 @@ typedef struct tcpinfo {
} tcpinfo_t;
/*
* Structures to define a GRE header as seen in a packet.
*/
struct grebits {
u_32_t grb_C:1;
u_32_t grb_R:1;
@ -947,7 +951,9 @@ typedef struct grehdr {
#define gr_A gr_bits.grb_A
#define gr_ver gr_bits.grb_ver
/*
* GRE information tracked by "keep state"
*/
typedef struct greinfo {
u_short gs_call[2];
u_short gs_flags;
@ -957,6 +963,20 @@ typedef struct greinfo {
#define GRE_REV(x) ((ntohs(x) >> 13) & 7)
/*
* Format of an Authentication header
*/
typedef struct authhdr {
u_char ah_next;
u_char ah_plen;
u_short ah_reserved;
u_32_t ah_spi;
u_32_t ah_seq;
/* Following the sequence number field is 0 or more bytes of */
/* authentication data, as specified by ah_plen - RFC 2402. */
} authhdr_t;
/*
* Timeout tail queue list member
*/
@ -1237,8 +1257,9 @@ extern ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap;
extern ipfmutex_t ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
extern ipfrwlock_t ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag;
extern ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
extern ipfrwlock_t ipf_frcache;
extern char *memstr __P((char *, char *, int, int));
extern char *memstr __P((const char *, char *, int, int));
extern int count4bits __P((u_32_t));
extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int));
extern char *getifname __P((struct ifnet *));
@ -1311,7 +1332,6 @@ extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
extern void fr_forgetifp __P((void *));
extern frentry_t *fr_getrulen __P((int, char *, u_32_t));
extern void fr_getstat __P((struct friostat *));
extern int fr_icmp4errortype __P((int));
extern int fr_ifpaddr __P((int, int, void *,
struct in_addr *, struct in_addr *));
extern int fr_initialise __P((void));

47
sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
*
@ -7,7 +5,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_fil_freebsd.c,v 2.53.2.25 2005/02/01 03:15:56 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.27 2005/08/20 13:48:19 darrenr Exp $";
#endif
#if defined(KERNEL) || defined(_KERNEL)
@ -125,7 +123,7 @@ static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **));
# ifdef USE_MUTEXES
ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag;
ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ipf_frcache;
ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
# endif
int ipf_locks_done = 0;
@ -147,6 +145,19 @@ int (*fr_checkp) __P((ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
#endif /* __FreeBSD_version >= 500011 */
#if (__FreeBSD_version >= 502103)
static eventhandler_tag ipf_arrivetag, ipf_departtag, ipf_clonetag;
static void ipf_ifevent(void *arg);
static void ipf_ifevent(arg)
void *arg;
{
frsync(NULL);
}
#endif
#if (__FreeBSD_version >= 501108) && defined(_KERNEL)
static int
@ -203,6 +214,7 @@ int iplattach()
RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
MUTEX_INIT(&ipf_timeoutlock, "ipf timeout queue mutex");
RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock");
RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
ipf_locks_done = 1;
@ -271,6 +283,18 @@ int iplattach()
}
# endif
# endif
#if (__FreeBSD_version >= 502103)
ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
ipf_ifevent, NULL, \
EVENTHANDLER_PRI_ANY);
ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
ipf_ifevent, NULL, \
EVENTHANDLER_PRI_ANY);
ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
NULL, EVENTHANDLER_PRI_ANY);
#endif
if (fr_checkp != fr_check) {
fr_savep = fr_checkp;
fr_checkp = fr_check;
@ -315,6 +339,18 @@ int ipldetach()
if (fr_control_forwarding & 2)
ipforwarding = 0;
#if (__FreeBSD_version >= 502103)
if (ipf_arrivetag != NULL) {
EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag);
}
if (ipf_departtag != NULL) {
EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag);
}
if (ipf_clonetag != NULL) {
EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag);
}
#endif
SPL_NET(s);
#if (__FreeBSD_version >= 300000)
@ -380,6 +416,7 @@ int ipldetach()
MUTEX_DESTROY(&ipf_timeoutlock);
MUTEX_DESTROY(&ipf_rw);
RW_DESTROY(&ipf_mutex);
RW_DESTROY(&ipf_frcache);
RW_DESTROY(&ipf_ipidfrag);
RW_DESTROY(&ipf_global);
ipf_locks_done = 0;
@ -421,7 +458,7 @@ int mode;
friostat_t fio;
#if (BSD >= 199306) && defined(_KERNEL)
if ((securelevel >= 2) && (mode & FWRITE))
if ((securelevel >= 3) && (mode & FWRITE))
return EPERM;
#endif

26
sys/contrib/ipfilter/netinet/ip_frag.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
*
@ -47,7 +45,7 @@ struct file;
# endif
#endif
#if !defined(__SVR4) && !defined(__svr4__)
# if defined(_KERNEL) && !defined(__sgi)
# if defined(_KERNEL) && !defined(__sgi) && !defined(AIX)
# include <sys/kernel.h>
# endif
#else
@ -102,7 +100,7 @@ extern struct timeout fr_slowtimer_ch;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.77 2004/01/27 00:24:54 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.77.2.4 2005/08/20 13:48:21 darrenr Exp $";
#endif
@ -237,7 +235,7 @@ ipfr_t *table[];
ip = fin->fin_ip;
if (pass & FR_FRSTRICT)
if ((ip->ip_off & IP_OFFMASK) != 0)
if (fin->fin_off != 0)
return NULL;
frag.ipfr_p = ip->ip_p;
@ -277,8 +275,16 @@ ipfr_t *table[];
return NULL;
}
if ((fra->ipfr_rule = fin->fin_fr) != NULL)
fin->fin_fr->fr_ref++;
fra->ipfr_rule = fin->fin_fr;
if (fra->ipfr_rule != NULL) {
frentry_t *fr;
fr = fin->fin_fr;
MUTEX_ENTER(&fr->fr_lock);
fr->fr_ref++;
MUTEX_EXIT(&fr->fr_lock);
}
/*
* Insert the fragment into the fragment table, copy the struct used
@ -746,9 +752,7 @@ void fr_fragexpire()
{
ipfr_t **fp, *fra;
nat_t *nat;
#if defined(USE_SPL) && defined(_KERNEL)
int s;
#endif
SPL_INT(s);
if (fr_frag_lock)
return;
@ -814,7 +818,7 @@ void fr_fragexpire()
/* expectation of this being called twice per second. */
/* ------------------------------------------------------------------------ */
#if !defined(_KERNEL) || (!SOLARIS && !defined(__hpux) && !defined(__sgi) && \
!defined(__osf__))
!defined(__osf__) && !defined(linux))
# if defined(_KERNEL) && ((BSD >= 199103) || defined(__sgi))
void fr_slowtimer __P((void *ptr))
# else

8
sys/contrib/ipfilter/netinet/ip_frag.h
View file

@ -1,12 +1,10 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_frag.h 1.5 3/24/96
* Id: ip_frag.h,v 2.23.2.1 2004/03/29 16:21:56 darrenr Exp
* $Id: ip_frag.h,v 2.23.2.2 2005/06/10 18:02:37 darrenr Exp $
*/
#ifndef __IP_FRAG_H__
@ -80,7 +78,11 @@ extern void fr_slowtimer __P((void));
extern void fr_slowtimer __P((void *));
# endif
#else
# if defined(linux) && defined(_KERNEL)
extern void fr_slowtimer __P((long));
# else
extern int fr_slowtimer __P((void));
# endif
#endif
#endif /* __IP_FRAG_H__ */

7
sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1997-2003 by Darren Reed
*
@ -8,7 +6,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* Id: ip_ftp_pxy.c,v 2.88.2.15 2005/03/19 19:38:10 darrenr Exp
* $Id: ip_ftp_pxy.c,v 2.88.2.16 2005/12/04 23:39:27 darrenr Exp $
*/
#define IPF_FTP_PROXY
@ -473,9 +471,10 @@ int dlen;
{
u_int a1, a2, a3, a4, data_ip;
char newbuf[IPF_FTPBUFSZ];
char *s, *brackets[2];
const char *brackets[2];
u_short a5, a6;
ftpside_t *f;
char *s;
if (ippr_ftp_forcepasv != 0 &&
ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) {

15
sys/contrib/ipfilter/netinet/ip_htable.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
@ -53,7 +51,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.2 2004/10/17 15:49:15 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_htable.c,v 2.34.2.4 2005/11/13 15:38:37 darrenr Exp $";
#endif
#ifdef IPFILTER_LOOKUP
@ -104,8 +102,10 @@ iplookupop_t *op;
int err, i, unit;
KMALLOC(iph, iphtable_t *);
if (iph == NULL)
if (iph == NULL) {
ipht_nomem[op->iplo_unit]++;
return ENOMEM;
}
err = COPYIN(op->iplo_struct, iph, sizeof(*iph));
if (err != 0) {
@ -139,12 +139,9 @@ iplookupop_t *op;
sizeof(oiph->iph_name)) == 0)
break;
} while (oiph != NULL);
(void)strncpy(iph->iph_name, name, sizeof(iph->iph_name));
err = COPYOUT(iph, op->iplo_struct, sizeof(*iph));
if (err != 0) {
KFREE(iph);
return EFAULT;
}
(void)strncpy(op->iplo_name, name, sizeof(op->iplo_name));
iph->iph_type |= IPHASH_ANON;
}

2
sys/contrib/ipfilter/netinet/ip_htable.h
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
#ifndef __IP_HTABLE_H__
#define __IP_HTABLE_H__

8
sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2001-2003 by Darren Reed
*
@ -8,7 +6,7 @@
* Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* Id: ip_ipsec_pxy.c,v 2.20.2.6 2005/03/28 10:47:53 darrenr Exp
* $Id: ip_ipsec_pxy.c,v 2.20.2.7 2005/08/20 13:48:22 darrenr Exp $
*
*/
#define IPF_IPSEC_PROXY
@ -96,8 +94,8 @@ nat_t *nat;
mb_t *m;
ip_t *ip;
off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff;
bzero(ipsec_buffer, sizeof(ipsec_buffer));
off = fin->fin_hlen + sizeof(udphdr_t);
ip = fin->fin_ip;
m = fin->fin_m;
@ -287,8 +285,8 @@ nat_t *nat;
if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_flx & FI_FRAG))
return -1;
off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff;
ipsec = aps->aps_data;
off = fin->fin_hlen + sizeof(udphdr_t);
m = fin->fin_m;
COPYDATA(m, off, sizeof(cookies), (char *)cookies);

6
sys/contrib/ipfilter/netinet/ip_irc_pxy.c
View file

@ -1,11 +1,9 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2000-2003 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_irc_pxy.c,v 2.39.2.4 2005/02/04 10:22:55 darrenr Exp
* $Id: ip_irc_pxy.c,v 2.39.2.5 2005/12/04 23:39:27 darrenr Exp $
*/
#define IPF_IRC_PROXY
@ -50,7 +48,7 @@ void ippr_irc_fini()
}
char *ippr_irc_dcctypes[] = {
const char *ippr_irc_dcctypes[] = {
"CHAT ", /* CHAT chat ipnumber portnumber */
"SEND ", /* SEND filename ipnumber portnumber */
"MOVE ",

16
sys/contrib/ipfilter/netinet/ip_log.c
View file

@ -1,11 +1,9 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1997-2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_log.c,v 2.75.2.6 2004/10/16 07:59:27 darrenr Exp
* $Id: ip_log.c,v 2.75.2.7 2005/06/11 07:47:44 darrenr Exp $
*/
#include <sys/param.h>
#if defined(KERNEL) || defined(_KERNEL)
@ -416,9 +414,7 @@ int *types, cnt;
iplog_t *ipl;
size_t len;
int i;
# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
int s;
# endif
SPL_INT(s);
/*
* Check to see if this log record has a CRC which matches the last
@ -538,9 +534,7 @@ struct uio *uio;
size_t dlen, copied;
int error = 0;
iplog_t *ipl;
# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
int s;
# endif
SPL_INT(s);
/*
* Sanity checks. Make sure the minor # is valid and we're copying
@ -652,9 +646,7 @@ minor_t unit;
{
iplog_t *ipl;
int used;
# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
int s;
# endif
SPL_INT(s);
SPL_NET(s);
MUTEX_ENTER(&ipl_mutex);

19
sys/contrib/ipfilter/netinet/ip_lookup.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002-2003 by Darren Reed.
*
@ -35,7 +33,7 @@ struct file;
# undef _KERNEL
#endif
#include <sys/socket.h>
#if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
#if (defined(__osf__) || defined(AIX) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
# ifdef __osf__
# include <net/radix.h>
# endif
@ -63,7 +61,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.5 2004/07/06 11:16:25 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_lookup.c,v 2.35.2.8 2005/11/13 15:35:45 darrenr Exp $";
#endif
#ifdef IPFILTER_LOOKUP
@ -137,9 +135,7 @@ ioctlcmd_t cmd;
int mode;
{
int err;
# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
int s;
# endif
SPL_INT(s);
mode = mode; /* LINT */
@ -370,6 +366,15 @@ caddr_t data;
err = EINVAL;
break;
}
/*
* For anonymous pools, copy back the operation struct because in the
* case of success it will contain the new table's name.
*/
if ((err == 0) && ((op.iplo_arg & IPOOL_ANON) != 0)) {
BCOPYOUT(&op, data, sizeof(op));
}
return err;
}

4
sys/contrib/ipfilter/netinet/ip_lookup.h
View file

@ -1,10 +1,8 @@
/* $FreeBSD$ */
#ifndef __IP_LOOKUP_H__
#define __IP_LOOKUP_H__
#if defined(__STDC__) || defined(__GNUC__)
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
# define SIOCLOOKUPADDTABLE _IOWR('r', 60, struct iplookupop)
# define SIOCLOOKUPDELTABLE _IOWR('r', 61, struct iplookupop)
# define SIOCLOOKUPSTAT _IOWR('r', 64, struct iplookupop)

105
sys/contrib/ipfilter/netinet/ip_nat.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1995-2003 by Darren Reed.
*
@ -37,7 +35,9 @@ struct file;
#else
# include <sys/ioctl.h>
#endif
#include <sys/fcntl.h>
#if !defined(AIX)
# include <sys/fcntl.h>
#endif
#if !defined(linux)
# include <sys/protosw.h>
#endif
@ -107,7 +107,7 @@ extern struct ifnet vpnif;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.38 2005/03/28 11:09:54 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.47 2005/11/14 17:13:35 darrenr Exp $";
#endif
@ -186,15 +186,15 @@ static INLINE int nat_newrdr __P((fr_info_t *, nat_t *, natinfo_t *));
static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
struct in_addr, struct in_addr, u_32_t));
static void nat_hostmapdel __P((struct hostmap *));
static INLINE int nat_icmpquerytype4 __P((int));
static int nat_icmpquerytype4 __P((int));
static int nat_siocaddnat __P((ipnat_t *, ipnat_t **, int));
static void nat_siocdelnat __P((ipnat_t *, ipnat_t **, int));
static INLINE int nat_finalise __P((fr_info_t *, nat_t *, natinfo_t *,
static int nat_finalise __P((fr_info_t *, nat_t *, natinfo_t *,
tcphdr_t *, nat_t **, int));
static void nat_resolverule __P((ipnat_t *));
static nat_t *fr_natclone __P((fr_info_t *, nat_t *));
static void nat_mssclamp __P((tcphdr_t *, u_32_t, fr_info_t *, u_short *));
static INLINE int nat_wildok __P((nat_t *, int, int, int, int));
static int nat_wildok __P((nat_t *, int, int, int, int));
/* ------------------------------------------------------------------------ */
@ -799,10 +799,14 @@ int mode;
error = appr_ioctl(data, cmd, mode);
break;
case SIOCSTLCK :
fr_lock(data, &fr_nat_lock);
if (!(mode & FWRITE)) {
error = EPERM;
} else {
fr_lock(data, &fr_nat_lock);
}
break;
case SIOCSTPUT :
if (fr_nat_lock) {
if ((mode & FWRITE) != 0) {
error = fr_natputent(data, getlock);
} else {
error = EACCES;
@ -1346,8 +1350,15 @@ int getlock;
fin.fin_data[0] = ntohs(nat->nat_oport);
fin.fin_data[1] = ntohs(nat->nat_outport);
fin.fin_ifp = nat->nat_ifps[1];
if (nat_inlookup(&fin, 0, fin.fin_p, nat->nat_oip,
nat->nat_inip) != NULL) {
if (getlock) {
READ_ENTER(&ipf_nat);
}
n = nat_inlookup(&fin, 0, fin.fin_p, nat->nat_oip,
nat->nat_inip);
if (getlock) {
RWLOCK_EXIT(&ipf_nat);
}
if (n != NULL) {
error = EEXIST;
goto junkput;
}
@ -1355,8 +1366,15 @@ int getlock;
fin.fin_data[0] = ntohs(nat->nat_outport);
fin.fin_data[1] = ntohs(nat->nat_oport);
fin.fin_ifp = nat->nat_ifps[0];
if (nat_outlookup(&fin, 0, fin.fin_p, nat->nat_outip,
nat->nat_oip) != NULL) {
if (getlock) {
READ_ENTER(&ipf_nat);
}
n = nat_outlookup(&fin, 0, fin.fin_p, nat->nat_outip,
nat->nat_oip);
if (getlock) {
RWLOCK_EXIT(&ipf_nat);
}
if (n != NULL) {
error = EEXIST;
goto junkput;
}
@ -1420,7 +1438,9 @@ int getlock;
MUTEX_NUKE(&fr->fr_lock);
MUTEX_INIT(&fr->fr_lock, "nat-filter rule lock");
} else {
READ_ENTER(&ipf_nat);
if (getlock) {
READ_ENTER(&ipf_nat);
}
for (n = nat_instances; n; n = n->nat_next)
if (n->nat_fr == fr)
break;
@ -1430,7 +1450,9 @@ int getlock;
fr->fr_ref++;
MUTEX_EXIT(&fr->fr_lock);
}
RWLOCK_EXIT(&ipf_nat);
if (getlock) {
RWLOCK_EXIT(&ipf_nat);
}
if (!n) {
error = ESRCH;
@ -1981,8 +2003,8 @@ natinfo_t *ni;
* packet might match a different one to the previous connection but
* we want the same destination to be used.
*/
if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) ==
(IPN_ROUNDR|IPN_STICKY)) {
if (((np->in_flags & (IPN_ROUNDR|IPN_SPLIT)) != 0) &&
((np->in_flags & IPN_STICKY) != 0)) {
hm = nat_hostmap(NULL, fin->fin_src, fin->fin_dst, in,
(u_32_t)dport);
if (hm != NULL) {
@ -2003,7 +2025,7 @@ natinfo_t *ni;
in.s_addr = np->in_nip;
if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) == IPN_STICKY) {
hm = nat_hostmap(np, fin->fin_src, fin->fin_dst,
hm = nat_hostmap(NULL, fin->fin_src, fin->fin_dst,
in, (u_32_t)dport);
if (hm != NULL) {
in.s_addr = hm->hm_mapip.s_addr;
@ -2076,6 +2098,9 @@ natinfo_t *ni;
nat->nat_inip.s_addr = htonl(in.s_addr);
nat->nat_outip = fin->fin_dst;
nat->nat_oip = fin->fin_src;
if ((nat->nat_hm == NULL) && ((np->in_flags & IPN_STICKY) != 0))
nat->nat_hm = nat_hostmap(np, fin->fin_src, fin->fin_dst, in,
(u_32_t)dport);
ni->nai_sum1 = LONG_SUM(ntohl(fin->fin_daddr)) + ntohs(dport);
ni->nai_sum2 = LONG_SUM(in.s_addr) + ntohs(nport);
@ -2337,7 +2362,7 @@ int direction;
/* for both IPv4 and IPv6. */
/* ------------------------------------------------------------------------ */
/*ARGSUSED*/
static INLINE int nat_finalise(fin, nat, ni, tcp, natsave, direction)
static int nat_finalise(fin, nat, ni, tcp, natsave, direction)
fr_info_t *fin;
nat_t *nat;
natinfo_t *ni;
@ -2362,8 +2387,6 @@ int direction;
nat->nat_ptr = np;
nat->nat_p = fin->fin_p;
nat->nat_mssclamp = np->in_mssclamp;
fr = fin->fin_fr;
nat->nat_fr = fr;
if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
if (appr_new(fin, nat) == -1)
@ -2373,6 +2396,8 @@ int direction;
if (nat_logging)
nat_log(nat, (u_int)np->in_redir);
np->in_use++;
fr = fin->fin_fr;
nat->nat_fr = fr;
if (fr != NULL) {
MUTEX_ENTER(&fr->fr_lock);
fr->fr_ref++;
@ -2514,8 +2539,7 @@ int dir;
* Only a basic IP header (no options) should be with an ICMP error
* header. Also, if it's not an error type, then return.
*/
if ((fin->fin_hlen != sizeof(ip_t)) ||
!fr_icmp4errortype(type))
if ((fin->fin_hlen != sizeof(ip_t)) || !(fin->fin_flx & FI_ICMPERR))
return NULL;
/*
@ -3805,8 +3829,15 @@ u_32_t nflags;
CALC_SUMD(s1, s2, sumd);
fix_outcksum(fin, &fin->fin_ip->ip_sum, sumd);
}
#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || defined(linux)
#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || \
defined(linux) || defined(BRIDGE_IPF)
else {
/*
* Strictly speaking, this isn't necessary on BSD
* kernels because they do checksum calculation after
* this code has run BUT if ipfilter is being used
* to do NAT as a bridge, that code doesn't exist.
*/
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(fin, &fin->fin_ip->ip_sum,
nat->nat_ipsumd);
@ -4315,9 +4346,7 @@ void fr_natexpire()
{
ipftq_t *ifq, *ifqnext;
ipftqent_t *tqe, *tqn;
#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
int s;
#endif
SPL_INT(s);
int i;
SPL_NET(s);
@ -4372,9 +4401,7 @@ void *ifp;
ipnat_t *n;
nat_t *nat;
void *ifp2;
#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
int s;
#endif
SPL_INT(s);
if (fr_running <= 0)
return;
@ -4456,7 +4483,7 @@ void *ifp;
/* Tests to see if the ICMP type number passed is a query/response type or */
/* not. */
/* ------------------------------------------------------------------------ */
static INLINE int nat_icmpquerytype4(icmptype)
static int nat_icmpquerytype4(icmptype)
int icmptype;
{
@ -4609,9 +4636,20 @@ nat_t *nat;
MUTEX_NUKE(&clone->nat_lock);
clone->nat_aps = NULL;
/*
* Initialize all these so that nat_delete() doesn't cause a crash.
*/
clone->nat_tqe.tqe_pnext = NULL;
clone->nat_tqe.tqe_next = NULL;
clone->nat_tqe.tqe_ifq = NULL;
clone->nat_tqe.tqe_parent = clone;
clone->nat_flags &= ~SI_CLONE;
clone->nat_flags |= SI_CLONED;
if (clone->nat_hm)
clone->nat_hm->hm_ref++;
if (nat_insert(clone, fin->fin_rev) == -1) {
KFREE(clone);
@ -4630,14 +4668,13 @@ nat_t *nat;
MUTEX_EXIT(&fr->fr_lock);
}
/*
* Because the clone is created outside the normal loop of things and
* TCP has special needs in terms of state, initialise the timeout
* state of the new NAT from here.
*/
if (clone->nat_p == IPPROTO_TCP) {
(void) fr_tcp_age(&clone->nat_tqe, fin, nat_tqb, \
(void) fr_tcp_age(&clone->nat_tqe, fin, nat_tqb,
clone->nat_flags);
}
#ifdef IPFILTER_SYNC
@ -4662,7 +4699,7 @@ nat_t *nat;
/* Use NAT entry and packet direction to determine which combination of */
/* wildcard flags should be used. */
/* ------------------------------------------------------------------------ */
static INLINE int nat_wildok(nat, sport, dport, flags, dir)
static int nat_wildok(nat, sport, dport, flags, dir)
nat_t *nat;
int sport;
int dport;

9
sys/contrib/ipfilter/netinet/ip_nat.h
View file

@ -1,12 +1,10 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1995-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_nat.h 1.5 2/4/96
* Id: ip_nat.h,v 2.90.2.9 2005/03/28 11:09:55 darrenr Exp
* $Id: ip_nat.h,v 2.90.2.11 2005/06/18 02:41:32 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@ -16,18 +14,16 @@
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
#if defined(__STDC__) || defined(__GNUC__)
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
#define SIOCADNAT _IOW('r', 60, struct ipfobj)
#define SIOCRMNAT _IOW('r', 61, struct ipfobj)
#define SIOCGNATS _IOWR('r', 62, struct ipfobj)
#define SIOCGNATL _IOWR('r', 63, struct ipfobj)
#define SIOCPROXY _IOWR('r', 64, struct ap_control)
#else
#define SIOCADNAT _IOW(r, 60, struct ipfobj)
#define SIOCRMNAT _IOW(r, 61, struct ipfobj)
#define SIOCGNATS _IOWR(r, 62, struct ipfobj)
#define SIOCGNATL _IOWR(r, 63, struct ipfobj)
#define SIOCPROXY _IOWR(r, 64, struct ap_control)
#endif
#undef LARGE_NAT /* define this if you're setting up a system to NAT
@ -297,6 +293,7 @@ typedef struct natget {
} natget_t;
#undef tr_flags
typedef struct nattrpnt {
struct in_addr tr_dstip; /* real destination IP# */
struct in_addr tr_srcip; /* real source IP# */

16
sys/contrib/ipfilter/netinet/ip_netbios_pxy.c
View file

@ -1,9 +1,7 @@
/* $FreeBSD$ */
/*
* Simple netbios-dgm transparent proxy for in-kernel use.
* For use with the NAT code.
* Id: ip_netbios_pxy.c,v 2.8 2003/12/01 02:52:16 darrenr Exp
* $Id: ip_netbios_pxy.c,v 2.8.2.1 2005/08/20 13:48:23 darrenr Exp $
*/
/*-
@ -31,7 +29,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* Id: ip_netbios_pxy.c,v 2.8 2003/12/01 02:52:16 darrenr Exp
* $Id: ip_netbios_pxy.c,v 2.8.2.1 2005/08/20 13:48:23 darrenr Exp $
*/
#define IPF_NETBIOS_PROXY
@ -82,19 +80,17 @@ nat_t *nat;
aps = aps; /* LINT */
nat = nat; /* LINT */
ip = fin->fin_ip;
m = *(mb_t **)fin->fin_mp;
off = fin->fin_hlen + sizeof(udphdr_t);
dlen = M_LEN(m);
dlen -= off;
m = fin->fin_m;
dlen = fin->fin_dlen - sizeof(*udp);
/*
* no net bios datagram could possibly be shorter than this
*/
if (dlen < 11)
return 0;
ip = fin->fin_ip;
udp = (udphdr_t *)fin->fin_dp;
off = (char *)udp - (char *)ip + sizeof(*udp) + fin->fin_ipoff;
/*
* move past the

12
sys/contrib/ipfilter/netinet/ip_pool.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
@ -55,7 +53,8 @@ struct file;
# include <sys/malloc.h>
#endif
#if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
#if defined(_KERNEL) && (defined(__osf__) || defined(AIX) || \
defined(__hpux) || defined(__sgi))
# ifdef __osf__
# include <net/radix.h>
# endif
@ -79,7 +78,7 @@ static int rn_freenode __P((struct radix_node *, void *));
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.12 2005/02/01 04:04:46 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_pool.c,v 2.55.2.15 2005/11/13 15:38:37 darrenr Exp $";
#endif
#ifdef IPFILTER_LOOKUP
@ -356,11 +355,9 @@ ip_pool_t *ipo;
addrfamily_t *addr, *mask;
{
struct radix_node *n;
#ifdef USE_SPL
int s;
SPL_INT(s);
SPL_NET(s);
#endif
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
n = ipo->ipo_head->rnh_lookup(addr, mask, ipo->ipo_head);
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
@ -550,6 +547,7 @@ iplookupop_t *op;
}
(void)strncpy(h->ipo_name, name, sizeof(h->ipo_name));
(void)strncpy(op->iplo_name, name, sizeof(op->iplo_name));
} else {
(void) strncpy(h->ipo_name, op->iplo_name, sizeof(h->ipo_name));
}

6
sys/contrib/ipfilter/netinet/ip_pool.h
View file

@ -1,18 +1,16 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_pool.h,v 2.26.2.2 2004/03/23 12:44:34 darrenr Exp
* $Id: ip_pool.h,v 2.26.2.3 2005/06/12 07:18:27 darrenr Exp $
*/
#ifndef __IP_POOL_H__
#define __IP_POOL_H__
#if defined(_KERNEL) && !defined(__osf__) && !defined(__hpux) && \
!defined(linux) && !defined(sun)
!defined(linux) && !defined(sun) && !defined(AIX)
# include <net/radix.h>
extern void rn_freehead __P((struct radix_node_head *));
# define FreeS(p, z) KFREES(p, z)

8
sys/contrib/ipfilter/netinet/ip_pptp_pxy.c
View file

@ -1,12 +1,10 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002-2003 by Darren Reed
*
* Simple PPTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* Id: ip_pptp_pxy.c,v 2.10.2.9 2005/03/16 18:17:34 darrenr Exp
* $Id: ip_pptp_pxy.c,v 2.10.2.11 2005/12/04 23:39:27 darrenr Exp $
*
*/
#define IPF_PPTP_PROXY
@ -89,10 +87,8 @@ nat_t *nat;
pptp_pxy_t *pptp;
ipnat_t *ipn;
ip_t *ip;
int off;
ip = fin->fin_ip;
off = fin->fin_hlen + sizeof(udphdr_t);
if (nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_inip,
ip->ip_dst) != NULL) {
@ -238,7 +234,7 @@ nat_t *nat;
pptp_pxy_t *pptp;
int rev;
{
static char *funcname = "ippr_pptp_nextmessage";
static const char *funcname = "ippr_pptp_nextmessage";
pptp_side_t *pptps;
u_32_t start, end;
pptp_hdr_t *hdr;

14
sys/contrib/ipfilter/netinet/ip_proxy.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1997-2003 by Darren Reed.
*
@ -16,7 +14,9 @@
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
#include <sys/fcntl.h>
#if !defined(AIX)
# include <sys/fcntl.h>
#endif
#if !defined(_KERNEL) && !defined(__KERNEL__)
# include <stdio.h>
# include <string.h>
@ -35,7 +35,8 @@ struct file;
#include <sys/socket.h>
#if defined(_KERNEL)
# if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \
!defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi)
!defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi) && \
!defined(AIX)
# include <sys/ctype.h>
# endif
# include <sys/systm.h>
@ -94,9 +95,6 @@ struct file;
# include "netinet/ip_irc_pxy.c"
# include "netinet/ip_raudio_pxy.c"
# include "netinet/ip_h323_pxy.c"
# ifdef IPFILTER_PRO
# include "netinet/ip_msnrpc_pxy.c"
# endif
# include "netinet/ip_netbios_pxy.c"
#endif
#include "netinet/ip_ipsec_pxy.c"
@ -105,7 +103,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.12 2005/03/03 14:28:24 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.14 2005/06/18 02:41:33 darrenr Exp $";
#endif
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));

21
sys/contrib/ipfilter/netinet/ip_proxy.h
View file

@ -1,11 +1,9 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1997-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_proxy.h,v 2.31.2.2 2005/03/12 19:33:48 darrenr Exp
* $Id: ip_proxy.h,v 2.31.2.3 2005/06/18 02:41:33 darrenr Exp $
*/
#ifndef __IP_PROXY_H__
@ -15,6 +13,12 @@
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
#define SIOCPROXY _IOWR('r', 64, struct ap_control)
#else
#define SIOCPROXY _IOWR(r, 64, struct ap_control)
#endif
#ifndef APR_LABELLEN
#define APR_LABELLEN 16
#endif
@ -22,15 +26,16 @@
struct nat;
struct ipnat;
struct ipstate;
typedef struct ap_tcp {
u_short apt_sport; /* source port */
u_short apt_dport; /* destination port */
short apt_sel[2]; /* {seq,ack}{off,min} set selector */
short apt_seqoff[2]; /* sequence # difference */
tcp_seq apt_seqmin[2]; /* don't change seq-off until after this */
u_32_t apt_seqmin[2]; /* don't change seq-off until after this */
short apt_ackoff[2]; /* sequence # difference */
tcp_seq apt_ackmin[2]; /* don't change seq-off until after this */
u_32_t apt_ackmin[2]; /* don't change seq-off until after this */
u_char apt_state[2]; /* connection state */
} ap_tcp_t;
@ -197,7 +202,7 @@ typedef struct raudio_s {
u_32_t rap_sbf; /* flag to indicate which of the 19 bytes have
* been filled
*/
tcp_seq rap_sseq;
u_32_t rap_sseq;
} raudio_t;
#define RA_ID_END 0
@ -233,7 +238,7 @@ typedef struct ipsec_pxy {
int ipsc_rckset;
ipnat_t ipsc_rule;
nat_t *ipsc_nat;
ipstate_t *ipsc_state;
struct ipstate *ipsc_state;
} ipsec_pxy_t;
/*
@ -253,7 +258,7 @@ typedef struct pptp_side {
typedef struct pptp_pxy {
ipnat_t pptp_rule;
nat_t *pptp_nat;
ipstate_t *pptp_state;
struct ipstate *pptp_state;
u_short pptp_call[2];
pptp_side_t pptp_side[2];
} pptp_pxy_t;

4
sys/contrib/ipfilter/netinet/ip_raudio_pxy.c
View file

@ -1,11 +1,9 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1998-2003 by Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_raudio_pxy.c,v 1.40.2.3 2005/02/04 10:22:55 darrenr Exp
* $Id: ip_raudio_pxy.c,v 1.40.2.3 2005/02/04 10:22:55 darrenr Exp $
*/
#define IPF_RAUDIO_PROXY

6
sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c
View file

@ -1,11 +1,9 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1998-2003 by Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_rcmd_pxy.c,v 1.41.2.4 2005/02/04 10:22:55 darrenr Exp
* $Id: ip_rcmd_pxy.c,v 1.41.2.5 2005/10/02 04:20:07 darrenr Exp $
*
* Simple RCMD transparent proxy for in-kernel use. For use with the NAT
* code.
@ -153,6 +151,8 @@ nat_t *nat;
* other way.
*/
bcopy((char *)fin, (char *)&fi, sizeof(fi));
fi.fin_state = NULL;
fi.fin_nat = NULL;
fi.fin_flx |= FI_IGNORE;
fi.fin_data[0] = sp;
fi.fin_data[1] = 0;

4
sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
*
@ -39,7 +37,7 @@
* o The enclosed hack of STREAMS support is pretty sick and most likely
* broken.
*
* Id: ip_rpcb_pxy.c,v 2.25.2.3 2005/02/04 10:22:56 darrenr Exp
* $Id: ip_rpcb_pxy.c,v 2.25.2.3 2005/02/04 10:22:56 darrenr Exp $
*/
#define IPF_RPCB_PROXY

10
sys/contrib/ipfilter/netinet/ip_scan.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
*
@ -34,7 +32,7 @@ struct file;
# endif
#endif
#include <sys/socket.h>
#if !defined(__hpux) && !defined(__osf__) && !defined(linux)
#if !defined(__hpux) && !defined(__osf__) && !defined(linux) && !defined(AIX)
# include <sys/ioccom.h>
#endif
#ifdef __FreeBSD__
@ -60,7 +58,7 @@ struct file;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.2 2005/01/18 10:13:16 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.4 2005/08/20 13:48:24 darrenr Exp $";
#endif
#ifdef IPFILTER_SCAN /* endif at bottom of file */
@ -539,8 +537,8 @@ ipstate_t *is;
j = 0xffff >> (16 - dlen);
i = (0xffff & j) << off;
#ifdef _KERNEL
COPYDATA(*(mb_t **)fin->fin_mp, fin->fin_hlen + thoff, dlen,
(caddr_t)is->is_sbuf[rv] + off);
COPYDATA(*(mb_t **)fin->fin_mp, fin->fin_plen - fin->fin_dlen + thoff,
dlen, (caddr_t)is->is_sbuf[rv] + off);
#endif
is->is_smsk[rv] |= i;
for (j = 0, i = is->is_smsk[rv]; i & 1; i >>= 1)

6
sys/contrib/ipfilter/netinet/ip_scan.h
View file

@ -1,12 +1,10 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* Id: ip_scan.h,v 2.9 2003/07/25 22:05:01 darrenr Exp
* $Id: ip_scan.h,v 2.9.2.1 2005/06/12 07:18:29 darrenr Exp $
*/
#ifndef __IP_SCAN_H__
@ -27,7 +25,7 @@ struct ip;
struct ipstate;
#if defined(__STDC__) || defined(__GNUC__)
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
# define SIOCADSCA _IOWR('r', 60, struct ipscan *)
# define SIOCRMSCA _IOWR('r', 61, struct ipscan *)
# define SIOCGSCST _IOWR('r', 62, struct ipscan *)

256
sys/contrib/ipfilter/netinet/ip_state.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1995-2003 by Darren Reed.
*
@ -109,7 +107,7 @@ struct file;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.29 2005/03/28 10:47:54 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.36 2005/12/04 22:25:36 darrenr Exp $";
#endif
static ipstate_t **ips_table = NULL;
@ -507,13 +505,17 @@ int mode;
* means no packets match).
*/
case SIOCSTLCK :
fr_lock(data, &fr_state_lock);
if (!(mode & FWRITE)) {
error = EPERM;
} else {
fr_lock(data, &fr_state_lock);
}
break;
/*
* Add an entry to the current state table.
*/
case SIOCSTPUT :
if (!fr_state_lock) {
if (!fr_state_lock || !(mode &FWRITE)) {
error = EACCES;
break;
}
@ -635,6 +637,7 @@ caddr_t data;
if (fr == NULL) {
READ_ENTER(&ipf_state);
fr_stinsert(isn, 0);
MUTEX_EXIT(&isn->is_lock);
RWLOCK_EXIT(&ipf_state);
return 0;
}
@ -682,6 +685,7 @@ caddr_t data;
}
READ_ENTER(&ipf_state);
fr_stinsert(isn, 0);
MUTEX_EXIT(&isn->is_lock);
RWLOCK_EXIT(&ipf_state);
} else {
@ -689,6 +693,7 @@ caddr_t data;
for (is = ips_list; is; is = is->is_next)
if (is->is_rule == fr) {
fr_stinsert(isn, 0);
MUTEX_EXIT(&isn->is_lock);
break;
}
@ -716,6 +721,7 @@ caddr_t data;
/* to pointers and adjusts running stats for the hash table as appropriate. */
/* */
/* Locking: it is assumed that some kind of lock on ipf_state is held. */
/* Exits with is_lock initialised and held. */
/* ------------------------------------------------------------------------ */
void fr_stinsert(is, rev)
ipstate_t *is;
@ -780,7 +786,6 @@ int rev;
MUTEX_EXIT(&ipf_stinsert);
fr_setstatequeue(is, rev);
MUTEX_EXIT(&is->is_lock);
}
@ -830,6 +835,7 @@ u_int flags;
* to it, then schedule an automatic flush in case we can clear out
* some "dead old wood".
*/
MUTEX_ENTER(&fr->fr_lock);
if ((fr != NULL) && (fr->fr_statemax != 0) &&
(fr->fr_statecnt >= fr->fr_statemax)) {
MUTEX_EXIT(&fr->fr_lock);
@ -837,6 +843,8 @@ u_int flags;
fr_state_doflush = 1;
return NULL;
}
fr->fr_statecnt++;
MUTEX_EXIT(&fr->fr_lock);
pass = (fr == NULL) ? 0 : fr->fr_flags;
@ -979,9 +987,9 @@ u_int flags;
TH_SYN &&
(TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
if (fr_tcpoptions(fin, tcp,
&is->is_tcp.ts_data[0]))
is->is_swinflags = TCP_WSCALE_SEEN|
TCP_WSCALE_FIRST;
&is->is_tcp.ts_data[0]) == -1) {
fin->fin_flx |= FI_BAD;
}
}
if ((fin->fin_out != 0) && (pass & FR_NEWISN) != 0) {
@ -1038,16 +1046,16 @@ u_int flags;
break;
}
if (is != NULL)
return NULL;
goto cantaddstate;
if (ips_stats.iss_bucketlen[hv] >= fr_state_maxbucket) {
ATOMIC_INCL(ips_stats.iss_bucketfull);
return NULL;
goto cantaddstate;
}
KMALLOC(is, ipstate_t *);
if (is == NULL) {
ATOMIC_INCL(ips_stats.iss_nomem);
return NULL;
goto cantaddstate;
}
bcopy((char *)&ips, (char *)is, sizeof(*is));
/*
@ -1124,8 +1132,14 @@ u_int flags;
* this may change.
*/
is->is_v = fin->fin_v;
is->is_opt = fin->fin_optmsk;
is->is_optmsk = 0xffffffff;
is->is_opt[0] = fin->fin_optmsk;
is->is_optmsk[0] = 0xffffffff;
is->is_optmsk[1] = 0xffffffff;
if (is->is_v == 6) {
is->is_opt[0] &= ~0x8;
is->is_optmsk[0] &= ~0x8;
is->is_optmsk[1] &= ~0x8;
}
is->is_sec = fin->fin_secmsk;
is->is_secmsk = 0xffff;
is->is_auth = fin->fin_auth;
@ -1150,13 +1164,14 @@ u_int flags;
* timer on it as we'll never see an error if it fails to
* connect.
*/
MUTEX_ENTER(&is->is_lock);
(void) fr_tcp_age(&is->is_sti, fin, ips_tqtqb, is->is_flags);
MUTEX_EXIT(&is->is_lock);
#ifdef IPFILTER_SCAN
if ((is->is_flags & SI_CLONE) == 0)
(void) ipsc_attachis(is);
#endif
} else {
MUTEX_EXIT(&is->is_lock);
}
#ifdef IPFILTER_SYNC
if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0))
@ -1173,12 +1188,21 @@ u_int flags;
(void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
return is;
cantaddstate:
if (fr != NULL) {
MUTEX_ENTER(&fr->fr_lock);
fr->fr_statecnt--;
MUTEX_EXIT(&fr->fr_lock);
}
return NULL;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_tcpoptions */
/* Returns: int - 1 == packet matches state entry, 0 == it does not */
/* Returns: int - 1 == packet matches state entry, 0 == it does not, */
/* -1 == packet has bad TCP options data */
/* Parameters: fin(I) - pointer to packet information */
/* tcp(I) - pointer to TCP packet header */
/* td(I) - pointer to TCP data held as part of the state */
@ -1195,13 +1219,14 @@ tcpdata_t *td;
char buf[64], *s, opt;
mb_t *m = NULL;
off = fin->fin_hlen + sizeof(*tcp);
len = (TCP_OFF(tcp) << 2) - sizeof(*tcp);
if (fin->fin_plen < off + len)
len = (TCP_OFF(tcp) << 2);
if (fin->fin_dlen < len)
return 0;
len -= sizeof(*tcp);
off = fin->fin_plen - fin->fin_dlen + sizeof(*tcp) + fin->fin_ipoff;
m = fin->fin_m;
off += fin->fin_ipoff;
mlen = MSGDSIZE(m) - off;
if (len > mlen) {
len = mlen;
@ -1239,7 +1264,10 @@ tcpdata_t *td;
else if (i < 0)
i = 0;
td->td_winscale = i;
}
td->td_winflags |= TCP_WSCALE_SEEN|
TCP_WSCALE_FIRST;
} else
retval = -1;
break;
case TCPOPT_MAXSEG :
/*
@ -1251,7 +1279,14 @@ tcpdata_t *td;
i <<= 8;
i += (int)*(s + 3);
td->td_maxseg = i;
}
} else
retval = -1;
break;
case TCPOPT_SACK_PERMITTED :
if (ol == TCPOLEN_SACK_PERMITTED)
td->td_winflags |= TCP_SACK_PERMIT;
else
retval = -1;
break;
}
}
@ -1322,24 +1357,22 @@ ipstate_t *is;
is->is_s0[source] = ntohl(tcp->th_ack);
is->is_s0[!source] = ntohl(tcp->th_seq) + 1;
if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)) &&
tdata->td_winscale) {
if (fr_tcpoptions(fin, tcp, fdata)) {
fdata->td_winflags = TCP_WSCALE_SEEN|
TCP_WSCALE_FIRST;
} else {
if (!fdata->td_winscale)
tdata->td_winscale = 0;
(tdata->td_winflags & TCP_WSCALE_SEEN)) {
if (fr_tcpoptions(fin, tcp, fdata) == -1)
fin->fin_flx |= FI_BAD;
if (!(fdata->td_winflags & TCP_WSCALE_SEEN)) {
fdata->td_winscale = 0;
tdata->td_winscale = 0;
}
}
if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
fr_checknewisn(fin, is);
} else if (flags == TH_SYN) {
is->is_s0[source] = ntohl(tcp->th_seq) + 1;
if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)))
if (fr_tcpoptions(fin, tcp, tdata)) {
tdata->td_winflags = TCP_WSCALE_SEEN|
TCP_WSCALE_FIRST;
}
if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
if (fr_tcpoptions(fin, tcp, tdata) == -1)
fin->fin_flx |= FI_BAD;
}
if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
fr_checknewisn(fin, is);
@ -1410,6 +1443,7 @@ int flags;
tcp_seq seq, ack, end;
int ackskew, tcpflags;
u_32_t win, maxwin;
int dsize, inseq;
/*
* Find difference between last checked packet and this packet.
@ -1421,9 +1455,28 @@ int flags;
win = ntohs(tcp->th_win);
else
win = ntohs(tcp->th_win) << fdata->td_winscale;
#if 0
/*
* XXX - This is a kludge is here because IPFilter doesn't track SACK
* options in TCP packets. This is not a trivial to do if one is to
* consider the performance impact of it. So instead, if the
* receiver has said SACK is ok, double the allowed window size.
* This is disabled for testing of another workaround for a problem
* with Microsoft Windows - see below.
*/
if ((tdata->td_winflags & TCP_SACK_PERMIT) != 0)
win *= 2;
#endif
/*
* A window of 0 produces undesirable behaviour from this function.
*/
if (win == 0)
win = 1;
dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0);
/*
* if window scaling is present, the scaling is only allowed
* for windows not in the first SYN packet. In that packet the
@ -1441,14 +1494,15 @@ int flags;
fdata->td_maxwin = win;
} else {
fdata->td_winscale = 0;
fdata->td_winflags = 0;
fdata->td_winflags &= ~(TCP_WSCALE_FIRST|
TCP_WSCALE_SEEN);
tdata->td_winscale = 0;
tdata->td_winflags = 0;
tdata->td_winflags &= ~(TCP_WSCALE_FIRST|
TCP_WSCALE_SEEN);
}
}
end = seq + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0);
end = seq + dsize;
if ((fdata->td_end == 0) &&
(!(flags & IS_TCPFSM) ||
@ -1456,7 +1510,7 @@ int flags;
/*
* Must be a (outgoing) SYN-ACK in reply to a SYN.
*/
fdata->td_end = end;
fdata->td_end = end - 1;
fdata->td_maxwin = 1;
fdata->td_maxend = end + win;
}
@ -1469,9 +1523,6 @@ int flags;
ack = tdata->td_end;
}
if (seq == end)
seq = end = fdata->td_end;
maxwin = tdata->td_maxwin;
ackskew = tdata->td_end - ack;
@ -1486,16 +1537,25 @@ int flags;
#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0)
#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
if (
#if defined(_KERNEL)
(SEQ_GE(fdata->td_maxend, end)) &&
inseq = 0;
if ((SEQ_GE(fdata->td_maxend, end)) &&
(SEQ_GE(seq, fdata->td_end - maxwin)) &&
#endif
/* XXX what about big packets */
#define MAXACKWINDOW 66000
(-ackskew <= (MAXACKWINDOW << fdata->td_winscale)) &&
( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) {
inseq = 1;
/*
* Microsoft Windows will send the next packet to the right of the
* window if SACK is in use.
*/
} else if ((seq == fdata->td_maxend) && (ackskew == 0) &&
(fdata->td_winflags & TCP_SACK_PERMIT) &&
(tdata->td_winflags & TCP_SACK_PERMIT)) {
inseq = 1;
}
if (inseq) {
/* if ackskew < 0 then this should be due to fragmented
* packets. There is no way to know the length of the
* total packet in advance.
@ -1584,8 +1644,7 @@ ipstate_t *is;
clone->is_flags &= ~SI_CLONE;
clone->is_flags |= SI_CLONED;
fr_stinsert(clone, fin->fin_rev);
MUTEX_ENTER(&clone->is_lock);
clone->is_ref = 1;
clone->is_ref = 2;
if (clone->is_p == IPPROTO_TCP) {
(void) fr_tcp_age(&clone->is_sti, fin, ips_tqtqb,
clone->is_flags);
@ -1770,7 +1829,7 @@ u_32_t cmask;
* Match up any flags set from IP options.
*/
if ((cflx && (flx != (cflx & cmask))) ||
((fin->fin_optmsk & is->is_optmsk) != is->is_opt) ||
((fin->fin_optmsk & is->is_optmsk[rev]) != is->is_opt[rev]) ||
((fin->fin_secmsk & is->is_secmsk) != is->is_sec) ||
((fin->fin_auth & is->is_authmsk) != is->is_auth))
return NULL;
@ -1787,9 +1846,12 @@ u_32_t cmask;
if ((flags & (SI_W_SPORT|SI_W_DPORT))) {
if ((flags & SI_CLONE) != 0) {
is = fr_stclone(fin, tcp, is);
if (is == NULL)
ipstate_t *clone;
clone = fr_stclone(fin, tcp, is);
if (clone == NULL)
return NULL;
is = clone;
} else {
ATOMIC_DECL(ips_stats.iss_wild);
}
@ -1820,8 +1882,14 @@ u_32_t cmask;
ret = -1;
if (is->is_flx[out][rev] == 0)
if (is->is_flx[out][rev] == 0) {
is->is_flx[out][rev] = flx;
is->is_opt[rev] = fin->fin_optmsk;
if (is->is_v == 6) {
is->is_opt[rev] &= ~0x8;
is->is_optmsk[rev] &= ~0x8;
}
}
/*
* Check if the interface name for this "direction" is set and if not,
@ -1867,21 +1935,16 @@ fr_info_t *fin;
/*
* Does it at least have the return (basic) IP header ?
* Is it an actual recognised ICMP error type?
* Only a basic IP header (no options) should be with
* an ICMP error header.
*/
if ((fin->fin_v != 4) || (fin->fin_hlen != sizeof(ip_t)) ||
(fin->fin_plen < ICMPERR_MINPKTLEN))
(fin->fin_plen < ICMPERR_MINPKTLEN) ||
!(fin->fin_flx & FI_ICMPERR))
return NULL;
ic = fin->fin_dp;
type = ic->icmp_type;
/*
* If it's not an error type, then return
*/
if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
(type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
(type != ICMP_PARAMPROB))
return NULL;
oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
/*
@ -1944,7 +2007,7 @@ fr_info_t *fin;
*/
savelen = oip->ip_len;
oip->ip_len = len;
oip->ip_off = htons(oip->ip_off);
oip->ip_off = ntohs(oip->ip_off);
ofin.fin_flx = FI_NOCKSUM;
ofin.fin_v = 4;
@ -1972,8 +2035,6 @@ fr_info_t *fin;
switch (oip->ip_p)
{
case IPPROTO_ICMP :
icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
/*
* an ICMP error can only be generated as a result of an
* ICMP query, not as the response on an ICMP error
@ -1981,15 +2042,13 @@ fr_info_t *fin;
* XXX theoretically ICMP_ECHOREP and the other reply's are
* ICMP query's as well, but adding them here seems strange XXX
*/
if ((icmp->icmp_type != ICMP_ECHO) &&
(icmp->icmp_type != ICMP_TSTAMP) &&
(icmp->icmp_type != ICMP_IREQ) &&
(icmp->icmp_type != ICMP_MASKREQ))
if ((ofin.fin_flx & FI_ICMPERR) != 0)
return NULL;
/*
* perform a lookup of the ICMP packet in the state table
*/
icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
hv = (pr = oip->ip_p);
src.in4 = oip->ip_src;
hv += src.in4.s_addr;
@ -2008,10 +2067,6 @@ fr_info_t *fin;
is = fr_matchsrcdst(&ofin, is, &src, &dst,
NULL, FI_ICMPCMP);
if (is != NULL) {
if ((is->is_pass & FR_NOICMPERR) != 0) {
RWLOCK_EXIT(&ipf_state);
return NULL;
}
/*
* i : the index of this packet (the icmp
* unreachable)
@ -2774,6 +2829,11 @@ int why;
if (ipstate_logging != 0 && why != 0)
ipstate_log(is, why);
if (is->is_p == IPPROTO_TCP)
ips_stats.iss_fin++;
else
ips_stats.iss_expire++;
if (is->is_rule != NULL) {
is->is_rule->fr_statecnt--;
(void)fr_derefrule(&is->is_rule);
@ -2800,9 +2860,7 @@ void fr_timeoutstate()
ipftq_t *ifq, *ifqnext;
ipftqent_t *tqe, *tqn;
ipstate_t *is;
#if defined(USE_SPL) && defined(_KERNEL)
int s;
#endif
SPL_INT(s);
SPL_NET(s);
WRITE_ENTER(&ipf_state);
@ -2872,9 +2930,7 @@ int which, proto;
int delete, removed;
long try, maxtick;
u_long interval;
#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
int s;
#endif
SPL_INT(s);
removed = 0;
@ -2903,10 +2959,6 @@ int which, proto;
}
if (delete) {
if (is->is_p == IPPROTO_TCP)
ips_stats.iss_fin++;
else
ips_stats.iss_expire++;
fr_delstate(is, ISL_FLUSH);
removed++;
} else
@ -3042,7 +3094,7 @@ int flags;
rval = 0;
dir = fin->fin_rev;
tcpflags = tcp->th_flags;
dlen = fin->fin_plen - fin->fin_hlen - (TCP_OFF(tcp) << 2);
dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
if (tcpflags & TH_RST) {
if (!(tcpflags & TH_PUSH) && !dlen)
@ -3180,13 +3232,34 @@ int flags;
break;
case IPF_TCPS_HALF_ESTAB: /* 4 */
if (ostate >= IPF_TCPS_HALF_ESTAB) {
if ((tcpflags & TH_ACKMASK) == TH_ACK) {
if (tcpflags & TH_FIN) {
nstate = IPF_TCPS_FIN_WAIT_1;
rval = 1;
} else if ((tcpflags & TH_ACKMASK) == TH_ACK) {
/*
* If we've picked up a connection in mid
* flight, we could be looking at a follow on
* packet from the same direction as the one
* that created this state. Recognise it but
* do not advance the entire connection's
* state.
*/
switch (ostate)
{
case IPF_TCPS_CLOSED :
case IPF_TCPS_SYN_SENT :
case IPF_TCPS_SYN_RECEIVED :
rval = 1;
break;
case IPF_TCPS_HALF_ESTAB :
case IPF_TCPS_ESTABLISHED :
nstate = IPF_TCPS_ESTABLISHED;
rval = 1;
break;
default :
break;
}
}
break;
case IPF_TCPS_ESTABLISHED: /* 5 */
@ -3316,9 +3389,6 @@ int flags;
(u_long)tcp, tcpflags, (u_long)tqe,
nstate, ostate);
# endif
# ifdef DIAGNOSTIC
panic("invalid TCP state");
# endif
#else
abort();
#endif
@ -3442,20 +3512,16 @@ fr_info_t *fin;
/*
* Does it at least have the return (basic) IP header ?
* Is it an actual recognised ICMP error type?
* Only a basic IP header (no options) should be with
* an ICMP error header.
*/
if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN))
if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN) ||
!(fin->fin_flx & FI_ICMPERR))
return NULL;
ic6 = fin->fin_dp;
type = ic6->icmp6_type;
/*
* If it's not an error type, then return
*/
if ((type != ICMP6_DST_UNREACH) && (type != ICMP6_PACKET_TOO_BIG) &&
(type != ICMP6_TIME_EXCEEDED) && (type != ICMP6_PARAM_PROB))
return NULL;
oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN);
if (fin->fin_plen < sizeof(*oip6))

10
sys/contrib/ipfilter/netinet/ip_state.h
View file

@ -1,17 +1,15 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* Id: ip_state.h,v 2.68.2.3 2005/03/03 14:24:11 darrenr Exp
* $Id: ip_state.h,v 2.68.2.5 2005/08/20 13:48:25 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
#if defined(__STDC__) || defined(__GNUC__)
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
# define SIOCDELST _IOW('r', 61, struct ipfobj)
#else
# define SIOCDELST _IOW(r, 61, struct ipfobj)
@ -60,8 +58,8 @@ typedef struct ipstate {
u_char is_v;
u_32_t is_hv;
u_32_t is_tag;
u_32_t is_opt; /* packet options set */
u_32_t is_optmsk; /* " " mask */
u_32_t is_opt[2]; /* packet options set */
u_32_t is_optmsk[2]; /* " " mask */
u_short is_sec; /* security options set */
u_short is_secmsk; /* " " mask */
u_short is_auth; /* authentication options set */

29
sys/contrib/ipfilter/netinet/ip_sync.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
*
@ -98,7 +96,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.3 2005/02/18 13:06:29 darrenr Exp";
static const char rcsid[] = "@(#)$Id: ip_sync.c,v 2.40.2.5 2005/09/04 12:51:12 darrenr Exp $";
#endif
#define SYNC_STATETABSZ 256
@ -231,8 +229,10 @@ ipstate_t *ips;
ips->is_die = htonl(ips->is_die);
ips->is_pass = htonl(ips->is_pass);
ips->is_flags = htonl(ips->is_flags);
ips->is_opt = htonl(ips->is_opt);
ips->is_optmsk = htonl(ips->is_optmsk);
ips->is_opt[0] = htonl(ips->is_opt[0]);
ips->is_opt[1] = htonl(ips->is_opt[1]);
ips->is_optmsk[0] = htonl(ips->is_optmsk[0]);
ips->is_optmsk[1] = htonl(ips->is_optmsk[1]);
ips->is_sec = htons(ips->is_sec);
ips->is_secmsk = htons(ips->is_secmsk);
ips->is_auth = htons(ips->is_auth);
@ -246,8 +246,10 @@ ipstate_t *ips;
ips->is_die = ntohl(ips->is_die);
ips->is_pass = ntohl(ips->is_pass);
ips->is_flags = ntohl(ips->is_flags);
ips->is_opt = ntohl(ips->is_opt);
ips->is_optmsk = ntohl(ips->is_optmsk);
ips->is_opt[0] = ntohl(ips->is_opt[0]);
ips->is_opt[1] = ntohl(ips->is_opt[1]);
ips->is_optmsk[0] = ntohl(ips->is_optmsk[0]);
ips->is_optmsk[1] = ntohl(ips->is_optmsk[1]);
ips->is_sec = ntohs(ips->is_sec);
ips->is_secmsk = ntohs(ips->is_secmsk);
ips->is_auth = ntohs(ips->is_auth);
@ -442,21 +444,26 @@ struct uio *uio;
l = get_sleep_lock(&sl_tail);
err = sleep(&sl_tail, PZERO+1);
if (err) {
MUTEX_EXIT(&ipsl_mutex);
return EINTR;
}
spinunlock(l);
}
# else /* __hpux */
# ifdef __osf__
err = mpsleep(&sl_tail, PSUSP|PCATCH, "ipl sleep", 0,
&ipsl_mutex, MS_LOCK_SIMPLE);
if (err)
return EINTR;
# else
MUTEX_EXIT(&ipsl_mutex);
err = SLEEP(&sl_tail, "ipl sleep");
if (err)
return EINTR;
MUTEX_ENTER(&ipsl_mutex);
# endif /* __osf__ */
# endif /* __hpux */
if (err) {
MUTEX_EXIT(&ipsl_mutex);
return err;
}
# endif /* SOLARIS */
}
MUTEX_EXIT(&ipsl_mutex);

4
sys/contrib/ipfilter/netinet/ip_sync.h
View file

@ -1,12 +1,10 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* Id: ip_sync.h,v 2.11.2.2 2004/11/04 19:29:07 darrenr Exp
* $Id: ip_sync.h,v 2.11.2.2 2004/11/04 19:29:07 darrenr Exp $
*/
#ifndef __IP_SYNC_H__

8
sys/contrib/ipfilter/netinet/ipl.h
View file

@ -1,19 +1,17 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
* Id: ipl.h,v 2.52.2.9 2005/03/30 14:14:05 darrenr Exp
* $Id: ipl.h,v 2.52.2.11 2005/12/04 22:37:24 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter: v4.1.8"
#define IPL_VERSION "IP Filter: v4.1.10"
#define IPFILTER_VERSION 4010800
#define IPFILTER_VERSION 4011000
#endif

3
sys/contrib/ipfilter/netinet/mlfk_ipl.c
View file

@ -1,5 +1,3 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2000 by Darren Reed.
*
@ -102,6 +100,7 @@ static struct cdevsw ipl_cdevsw = {
.d_open = iplopen,
.d_close = iplclose,
.d_read = iplread,
.d_write = iplwrite,
.d_ioctl = iplioctl,
.d_name = "ipl",
# if __FreeBSD_version < 600000